Feeds

Unpatched Mac OS X hole poses critical risk

Hackers go on Safari

SANS - Survey on application security programs

Security researchers have discovered a vulnerability in Mac OS X that creates a means for hackers to compromise vulnerable systems. The critical security flaw is unpatched but workarounds have been issued.

The flaw stems from errors in the processing of metadata file association meta data in ZIP archives. By renamed "safe file" extensions stored in ZIP archives, hackers could trick users into executing malicious shell scripts. The security bug might also be used to attack Apple Safari browser users by creating a means for attackers to automatically run malign code when a Safari user visits a malicious-constructed website, an even more potent exploit scenario.

The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 and Mac OS X 10.4.5. Early versions might also be affected. Security notification firm Secunia has published a test here. It advises users to protect themselves against exploit by disabling the "Open safe files after downloading" option in Safari. Mac users should also avoid opening files in Zip archives that originate from untrusted sources.

"This is yet another example of the continuing spread of malicious code onto other platforms," said Alfred Huger, senior director of engineering at Symantec Security Response. "While there is no known exploit at this time, users are encouraged to turn off the 'Open safe files after downloading option' in their Safari browsers and watch for further information from Apple."

Discovery of the vulnerability follows last week's discovery of two low-level worms targeting Mac OS X: Leap-A and Inqtana-A. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.